Easy guide to certificate authorities

The internet has revolutionized every aspect of modern society, from business to communication to entertainment. High-speed internet access worldwide means finding the information we want is easier than ever before. But these perks come with some downsides, too.

Security issues arise whenever data is exchanged over the internet. The world wide web relies on trustworthy entities to vouch for who is on the other end of a connection. All major web browsers, like Google Chrome and Firefox, check the SSL/TLS certificate a web server presents before exchanging any data with it, and that check is what lets people surfing the internet trust that they are talking to the site they meant to visit.

SSL certificates (strictly speaking, TLS certificates today, since SSL itself is long deprecated) underpin security and privacy during our online communications. Data sent across the internet is kept safe through encryption, which scrambles it into something meaningless to anyone except the intended recipient, the only party holding the secret key needed to read it. The certificate itself does not do the encrypting. It binds a public key to a domain name so that a browser can verify it is setting up the encrypted session with the genuine server and not with an impostor sitting in the middle.

You might have thought that SSL is just for e-commerce sites to protect payments. That's no longer the case. SSL certificates are invaluable for every website, because every website has something of value to attackers: its reputation.

Internet users today are savvy customers and recognize when a site uses SSL. The digital certificate increases trust in a company's website, and ultimately in the company itself. Reputation alone is a compelling argument for setting up a secure site. Whether you collect data or accept payments, authentication, confidentiality, and integrity are indispensable in all cases.

Certificate authorities (CAs) are the entities responsible for issuing digital certificates, such as SSL certificates, to websites. In layman's terms, a digital certificate is a statement signed by the CA that a particular public key belongs to a particular domain name (and, for some certificate types, to a particular organisation). It is what allows two parties to exchange data securely over the web using the public key infrastructure (PKI), which we'll come to.


How digital certificates are issued

After an SSL certificate is ordered, the certificate authority goes about verifying the identity of the applicant. The extent of its checks depends on the level of validation required. The two most common types of validation are Organisation Validation (OV) and Domain Validation (DV).

Organisation Validation verifies that the organisation requesting a certificate is, in fact, the organisation that will be named in the certificate. The aim of Domain Validation is to ensure that the party requesting a certificate actually controls the domain in question.

What do they check for?

For a basic Domain Validation certificate, the certificate authority checks control over the domain, typically by asking the applicant to publish a random value supplied by the CA in a DNS record or at a well-known URL on the site, or by sending a confirmation email to a contact address for the domain. If the applicant passes the check, a certificate is issued. Organisation Validation involves more stringent checks: the CA vets the applying organisation through business registration records and credit reports. These extensive checks can take up to five days. Once the CA is satisfied, the certificate is issued.
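To make the Domain Validation check concrete, here is a small two-sided simulation of the "publish a CA-supplied value at a well-known URL" method. It is an added example, not code from the original article or from any CA, and it is modelled on the HTTP-01 challenge defined by the ACME protocol (RFC 8555): the CA hands out a random token, the applicant must serve token plus a thumbprint of its account key at /.well-known/acme-challenge/<token>, and the CA fetches that path and compares. The account thumbprint string and the hostnames are placeholders; an in-process test server stands in for the applicant's web host so the whole thing runs offline.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Path the CA fetches; the token is appended to it.
const challengePath = "/.well-known/acme-challenge/"

// NewChallenge is the CA's side of the set-up: a fresh random token plus the
// "key authorization" the applicant must publish. accountThumbprint stands in
// for the base64url SHA-256 JWK thumbprint of the applicant's ACME account key
// (assumed to be computed elsewhere; here it is just an opaque string).
func NewChallenge(accountThumbprint string) (token, keyAuth string) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	token = base64.RawURLEncoding.EncodeToString(raw)
	return token, token + "." + accountThumbprint
}

// applicantHandler is what the domain owner deploys on the web server that the
// domain's DNS points at. Only someone who controls that host can make this
// path return the expected value, which is the whole point of the check.
func applicantHandler(token, published string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc(challengePath+token, func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/octet-stream")
		io.WriteString(w, published)
	})
	return mux
}

// ValidateHTTP01 is the CA's check: fetch the token path over plain HTTP and
// compare the body with the key authorization it handed out. A non-200 status,
// a transport error or a mismatch all mean control of the host was not proved.
func ValidateHTTP01(client *http.Client, baseURL, token, expectedKeyAuth string) (bool, error) {
	resp, err := client.Get(baseURL + challengePath + token)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	// Cap the read: the CA should never trust a remote host to send a sane size.
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
	if err != nil {
		return false, err
	}
	return strings.TrimSpace(string(body)) == expectedKeyAuth, nil
}

// RunChallenge wires both sides together in one process. An httptest server
// stands in for the applicant's web host; published is what that host actually
// serves. Pass the real keyAuth for a legitimate applicant, anything else for
// someone who requested a certificate for a domain they do not control.
func RunChallenge(token, expectedKeyAuth, published string) (bool, error) {
	srv := httptest.NewServer(applicantHandler(token, published))
	defer srv.Close()
	return ValidateHTTP01(srv.Client(), srv.URL, token, expectedKeyAuth)
}

func main() {
	token, keyAuth := NewChallenge("placeholder-account-thumbprint")
	ok, err := RunChallenge(token, keyAuth, keyAuth)
	fmt.Println("domain owner:", ok, err)
	ok, err = RunChallenge(token, keyAuth, "not-the-key-authorization")
	fmt.Println("impostor:    ", ok, err)
}
```

The thing to notice is what the CA is and is not checking: it proves that whoever asked for the certificate can put content on the host the domain resolves to, nothing more. That is why a DV certificate says nothing about which company runs the site, and why the OV checks described above are a separate, slower process.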

It's then up to web browsers and devices to verify the validity of a given certificate. Something called a 'root' certificate is at the centre of this trust model. A root certificate is self-signed by the CA itself; once the CA has passed the audits and policy requirements of a browser or operating-system vendor, that vendor ships the root in its root store, a database of approved CAs that comes pre-installed with the browser or device. When a browser receives a site's certificate, it checks that the certificate chains, usually through one or more intermediate CA certificates, by valid signatures up to a root in its store, that it is within its validity period, and that it names the host being visited. Apple, Microsoft Windows, Google Chrome and Mozilla Firefox each operate a root store (Chrome and Firefox maintain their own rather than relying only on the operating system's).
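The following is an added example, not code from the original article, showing in Go's standard library what that browser-side check amounts to. It builds a throwaway three-tier hierarchy (self-signed root, intermediate, server certificate) with placeholder names, then verifies the server certificate the way a browser would, with the root standing in for the root store. It also builds a second, independent hierarchy with exactly the same names to show that the names printed in a certificate mean nothing by themselves; only the signature path to a trusted root does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is the three-tier chain public CAs typically run: an offline root,
// an issuing intermediate, and the end-entity (leaf) certificate a server presents.
type Hierarchy struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// makeCert issues a certificate for cn. With parent == nil it is self-signed (a root);
// otherwise it is signed by parentKey, the private key belonging to parent.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		// Browsers match the visited hostname against the SAN extension, not the CN.
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildHierarchy creates a root, an intermediate signed by it, and a server
// certificate for host signed by the intermediate. All names are placeholders.
func BuildHierarchy(host string) Hierarchy {
	root, rootKey := makeCert("Example Root CA", true, nil, nil, 1)
	inter, interKey := makeCert("Example Issuing CA", true, root, rootKey, 2)
	leaf, _ := makeCert(host, false, inter, interKey, 3)
	return Hierarchy{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyLeaf does what a browser does on connect: build a path from the presented
// leaf, through whatever intermediates the server sent, to a root in the trust
// store, and check the certificate covers the hostname being visited. trustedRoot
// plays the role of the root store; sendIntermediate models whether the server
// included its intermediate in the handshake (forgetting to is a common mistake).
func VerifyLeaf(h Hierarchy, trustedRoot *x509.Certificate, host string, sendIntermediate bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	intermediates := x509.NewCertPool()
	if sendIntermediate {
		intermediates.AddCert(h.Intermediate)
	}
	_, err := h.Leaf.Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	trusted := BuildHierarchy("www.example.com")
	rogue := BuildHierarchy("www.example.com") // same names, different keys, untrusted root
	fmt.Println("genuine chain:          ", VerifyLeaf(trusted, trusted.Root, "www.example.com", true))
	fmt.Println("rogue CA, same names:   ", VerifyLeaf(rogue, trusted.Root, "www.example.com", true))
	fmt.Println("wrong hostname:         ", VerifyLeaf(trusted, trusted.Root, "evil.example.com", true))
	fmt.Println("intermediate not served:", VerifyLeaf(trusted, trusted.Root, "www.example.com", false))
}
```

Only the first case returns nil. The rogue chain is rejected not because anything in it looks wrong but because its root is not in the store, which is exactly the property the next section is about: if a rogue root ever does get into the store, every certificate it issues is accepted just as readily.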


Who monitors certificate authorities

The certificate authority system has one obvious flaw: it assumes that CAs themselves are trustworthy. Any root that makes it into a root store can issue a certificate for any domain, and browsers will accept it. CAs are not unregulated, though. They operate within a framework of rules and must undergo qualified third-party audits under the WebTrust or ETSI schemes to demonstrate that those rules are being adhered to. They are vetted for activities which might undermine trust in their operations, and a CA found operating outside the rules faces consequences up to removal from the root stores.

Two sets of rules govern CAs. First are the root program policies of the browsers and operating systems that rely on SSL certificates, such as the Mozilla Root Store Policy. Second, the browsers and certificate authorities jointly set rules through the CA/Browser Forum, whose Baseline Requirements set the standard for public certificate authorities worldwide.

Recent developments

Trust in SSL has taken a hit in recent years. Cybercriminals have increasingly targeted internet users by finding ways to obtain certificates for domains they don't own. As it stands, the system isn't perfect, and there have been some high-profile examples of CAs issuing unauthorised certificates. In response, Google established a public logging system known as Certificate Transparency (CT). Browser CT policies require that certificate authorities submit every certificate they issue to public, append-only logs. Because anyone can audit the logs, a domain owner can watch for certificates issued for their domains that they never requested, which turns a silent mis-issuance into a detectable one. The logs keep tabs on digital certificate suppliers that go rogue, with one caveat: CT makes mis-issuance visible after the fact; it does not prevent it.

The CT project helps protect Google Chrome users. Since 2018, anyone browsing the net through Chrome who lands on a website whose SSL certificate is 'unlogged' (that is, carries no valid signed certificate timestamps from CT logs, whether embedded in the certificate, delivered in the TLS handshake, or stapled with the OCSP response) receives a warning that the site's SSL certificate isn't compliant with Chrome's Certificate Transparency policy and, as such, that the site might not be safe.


Certificate authorities and the future of internet security

Logging SSL certificates is just the start of Google's plan for a safer internet. You might have read the headline "Google wants to kill the URL." It's a hot topic on the tech blog scene and could provide a unique opportunity for CAs going forward. To briefly summarize: Google wants to rethink, and possibly do away with, the URL as users see it today, in a bid to make the internet safer. The problem with URLs is that they aren't universally understood, and phishers take advantage of this with look-alike and misleading addresses.

Google is looking for a suitable replacement that can make browsing the internet more secure while also offering businesses a way to assert their identity that is unmistakable to internet users.

Who can help with that? Certificate authorities. They already have the infrastructure to validate online entities and can put it to use affirming corporate and web identities. Anyone operating a business online would make ample use of a more trusted mechanism, one that confirms their authenticity to customers or users in a clearer, more visual manner.

While the big browser vendors have the financial resources to take on this task, building up the know-how and apparatus would take a lot of time, and authenticating identities is probably not something most of the browser community would want to take responsibility for. The most logical answer is to outsource the authentication process, and given their expertise, the CA industry seems the most likely candidate to turn to.

